MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db5d4a5090c7303616f88db08a22abc975804ae1abdef9740c208c004648255b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db5d4a5090c7303616f88db08a22abc975804ae1abdef9740c208c004648255b
SHA3-384 hash: 1e350e7e108b61f8878902b1ab6c384e5059631f4f3a389f8c3774b6dab07557b4a1b8531d48f5a8c6e561e843d18582
SHA1 hash: 5f7226f27b0106f6050ce61d78e9c0fc8cfb8373
MD5 hash: 024cde85d1a11c1b2e6749ec80b50fad
humanhash: sodium-bluebird-oranges-spaghetti
File name:Attached PO 30745.scr
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'907'759 bytes
First seen:2021-08-23 18:08:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 49152:KynUHNR9PKXUm1WHyilGSvn/5Kaq1rO5n8UXRaa/B03ak8JqFJ7BHKQk6j:KyUHNjSXUmIHy8Zv/Uaq1yJqak8JqbFR
Threatray 878 similar samples on MalwareBazaar
TLSH T101D5235036D25731E472183A0DEC5665AABCBC312B35588F6368253E9E348D0E736FBB
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter malwarelabnet
Tags:BitRAT exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Attached PO 30745.scr
Verdict:
Suspicious activity
Analysis date:
2020-09-16 16:19:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dfd01a39-8646-40f0-94eb-7a6dadfcb191

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181597/
Detection(s):
Win.Trojan.Fbkatz-9833203-0
Create hunting rule

Win.Malware.Qshell-9875653-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.44081008.21193.10752.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Sending a UDP request
Creating a process from a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d7ab283b-39b5-41fc-a0a6-b084d86baa83
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/457656
Signature
Antivirus detection for dropped file
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 281216 Sample: KPFoYO2SVi Startdate: 02/09/2020 Architecture: WINDOWS Score: 80 78 Antivirus detection for dropped file 2->78 80 Multi AV Scanner detection for dropped file 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 2 other signatures 2->84 11 KPFoYO2SVi.exe 9 2->11         started        14 Desktop.exe 2->14         started        16 Desktop.exe 2->16         started        process3 file4 66 C:\Users\user\AppData\Local\...\bitsfx.txt, PE32 11->66 dropped 18 cmd.exe 1 11->18         started        20 Desktop.exe 14->20         started        23 Desktop.exe 16->23         started        process5 signatures6 25 cmd.exe 1 18->25         started        27 conhost.exe 18->27         started        92 Hides threads from debuggers 20->92 process7 process8 29 bitsfx.txt 9 25->29         started        33 conhost.exe 25->33         started        file9 70 C:\Users\user\AppData\Local\Temp\...\bit.txt, PE32 29->70 dropped 98 Multi AV Scanner detection for dropped file 29->98 100 Machine Learning detection for dropped file 29->100 35 Desktop.exe 29->35         started        38 cmd.exe 1 29->38         started        40 cmd.exe 1 29->40         started        signatures10 process11 signatures12 86 Antivirus detection for dropped file 35->86 88 Multi AV Scanner detection for dropped file 35->88 90 Machine Learning detection for dropped file 35->90 42 Desktop.exe 1 7 35->42         started        47 cmd.exe 1 38->47         started        49 conhost.exe 38->49         started        51 cmd.exe 1 40->51         started        53 conhost.exe 40->53         started        process13 dnsIp14 72 109.104.157.24, 49735, 49765, 49768 ITIRANA-AL-ASImportfromPronetAL Albania 42->72 74 myexternalip.com 216.239.32.21, 443, 49736, 49766 GOOGLEUS United States 42->74 76 192.168.2.1 unknown unknown 42->76 68 C:\Users\user\AppData\Local:02-09-2020, ASCII 42->68 dropped 94 Creates files in alternative data streams (ADS) 42->94 96 Hides threads from debuggers 42->96 55 xcopy.exe 3 47->55         started        58 conhost.exe 47->58         started        60 conhost.exe 51->60         started        62 reg.exe 1 1 51->62         started        file15 signatures16 process17 file18 64 C:\Users\user\AppData\Roaming\...\Desktop.exe, PE32 55->64 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db5d4a5090c7303616f88db08a22abc975804ae1abdef9740c208c004648255b/
Threat name:
Win32.Trojan.Johnnie
Create hunting rule
Status:
Malicious
First seen:
2020-09-03 22:17:10 UTC
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
12c65e9b2189c8853552288feac6470dcc8ffe458f33c43d95146a420045c7ac
BitRAT
3419cd3aa1836577742af73aefa4d0fd5a198cbc4474af670408e6752f0dd89e
BitRAT
384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc
BitRAT
3bd0eb640c37fb31423b560aeb5bf4f9f6117cb60c2a9e4509b7a0db80e0a092
BitRAT
79ac302029ae7a3c7601260bb855725bd568f3b1c3730dca0edd74d72a5b9efb
BitRAT
7a79f0c95e891b939e275fa19e641b676f2eb70471945fb3b15d6a649cafe071
BitRAT
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65
BitRAT
a96e7065e6d2e724aa734cbdd99467f3c25f079da753c7681ee9d3c4bb6259f5
BitRAT
eddbfe52ba633950c388e0303d5a04453f9ba9e3a3cdc60f9a1355707cd209e6
BitRAT
+ 868 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210823-pynltwlvy2/
Behaviour
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
db5d4a5090c7303616f88db08a22abc975804ae1abdef9740c208c004648255b
MD5 hash:
024cde85d1a11c1b2e6749ec80b50fad
SHA1 hash:
5f7226f27b0106f6050ce61d78e9c0fc8cfb8373
Link:
https://www.unpac.me/results/14648ac5-15d0-4b56-97a9-6231bd71819b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/db5d4a5090c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db5d4a5090c7303616f88db08a22abc975804ae1abdef9740c208c004648255b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:bitrat_bin
Create hunting rule
Author:James_inthe_box
Description:BitRAT
Reference:https://app.any.run/tasks/52b45503-81fe-426c-93a1-bbfb04f677e1
Rule name:win_bit_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:Xenarmor_bin
Create hunting rule
Author:James_inthe_box
Description:Xenaormor Crapware
Reference:e524b801fd77238e3da5755ade262f700e244768a312dc7897bb68e370607fae
Rule name:Xenarmor_mem
Create hunting rule
Author:James_inthe_box
Description:Xenaormor Crapware
Reference:e524b801fd77238e3da5755ade262f700e244768a312dc7897bb68e370607fae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/181597/

Comments